A popular approach to network security is the use of Intrusion Prevention Systems (IPS) that screen out network traffic from known attacks using a database of signatures entered by human analysts. While the IPS market is a thriving billion-dollar market, some trends indicate the need for new approaches. First, fast-moving attacks such as the Slammer worm did much of their damage in the first 10 minutes, far faster than the hours human analysts need to analyze an attack and produce a signature. Second, IPS devices are beginning to be integrated into network switches (e.g., Cisco, Force 10), which may require scaling the IPS to 10 and even 20 Gbps. At these speeds, the normalization and TCP reassembly performed in an IPS (motivated by the need to detect fragmented attacks and other evasions) become a bottleneck.
In this talk, I will suggest new approaches for dealing with these two problems. First, just as attackers use automation to launch fast-moving attacks, perhaps IPSs should also use automation to *learn* signatures without human intervention. I will describe our work on the EarlyBird system at UCSD, which automatically generated the signatures of all the worms that arrived on the UCSD campus within a few minutes of their arrival, and ran at high speeds. Second, I will describe some recent work at Cisco, where we suggest splitting attack signatures into pieces in order to *detect* evasion attacks with minimal reassembly while allowing scaling to 20 Gbps and higher. The talk is based on work presented in OSDI 2004 on signature learning, combined with work that will appear in SIGCOMM 2006 on signature detection.
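To make the second idea concrete, here is an added illustration (my own reading of "splitting signatures into pieces", not code from the talk or the Cisco work): a whole-signature match fails when an attacker spreads the signature across TCP segments, while matching the signature's pieces flags the flow so that only flagged flows pay for reassembly. The signature bytes and packet flows are constructed for the example, and the split/flag policy is an assumption.

```python
from __future__ import annotations

# Constructed stand-in for a worm signature (not a real IPS rule).
SIGNATURE = b"/default.ida?NNNNNNNN"


def split_signature(sig: bytes, k: int) -> list[bytes]:
    """Cut sig into k contiguous pieces of roughly equal length."""
    n = len(sig)
    bounds = [round(i * n / k) for i in range(k + 1)]
    return [sig[bounds[i]:bounds[i + 1]] for i in range(k)]


def per_packet_match(sig: bytes, packets: list[bytes]) -> bool:
    """Naive fast path: look for the whole signature in each packet, no reassembly."""
    return any(sig in p for p in packets)


def piece_match(sig: bytes, packets: list[bytes], k: int = 3) -> str:
    """Piece-wise fast path (assumed policy).

    'alert'      - the full signature sits inside one packet
    'suspicious' - some piece sits inside one packet; if the attacker spread
                   the signature over fewer than k boundaries, at least one
                   piece survives intact, so divert the flow to reassembly
    'clean'      - nothing seen, flow passes without reassembly
    """
    if per_packet_match(sig, packets):
        return "alert"
    pieces = split_signature(sig, k)
    if any(piece in p for p in packets for piece in pieces):
        return "suspicious"
    return "clean"


def slow_path(sig: bytes, packets: list[bytes]) -> bool:
    """Reassembly, paid only for flows the fast path flagged."""
    return sig in b"".join(packets)


# Constructed flows: one spreads the signature over three segments
# (a fragmentation evasion), one is ordinary benign traffic.
evasive_flow = [b"GET /defa", b"ult.ida?NNNN", b"NNNN HTTP/1.0\r\n"]
benign_flow = [b"GET /index.html HTTP/1.0\r\n"]

if __name__ == "__main__":
    print("whole-signature match:", per_packet_match(SIGNATURE, evasive_flow))
    verdict = piece_match(SIGNATURE, evasive_flow)
    print("piece-wise verdict:", verdict)
    if verdict == "suspicious":
        print("after reassembly:", slow_path(SIGNATURE, evasive_flow))
```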
Gates 4B (opposite 490)